On cyber defense, U.S. 'stuck at the starting line'

Jared Serbu, DoD reporter, Federal News Radio

The head of the National Security Agency said the U.S. has the technical capability to secure its networks from cyber threats, but until Congress takes action on cybersecurity legislation, security improvements are stopped in their tracks.

Gen. Keith Alexander, the director of NSA and the commander of U.S. Cyber Command, said he thinks the biggest barrier to improving the nation's overall cyber posture boils down to a basic lack of education in the nation, both about how networks operate and about the scope of the threat.

Speaking to a government and IT security industry audience Wednesday, Alexander showed frustration about the slow pace toward updating the nation's cyber laws and said failing to prepare ahead of time for cyber attacks would lead to "bad decisions" should U.S. critical infrastructure come under attack from actors such as those who targeted Aramco, Saudi Arabia's state-owned oil company, earlier this year.


"I'm concerned that attacks like that are coming, and we're spending a lot of time talking about what we should do, when we should just do it," he said. "We ought to argue it out just like we did in the election yesterday, but then come to a solution and get going. Because from my perspective, we can defend this space. We can secure it better than it is today, and we're stuck at the starting line. We ought to get on with it. I believe that's the push you're going to see from the administration and Congress, and it should be the push from the American people."

Alexander told Symantec's annual government symposium he thinks most of the fighting will continue to be over whether the government should be involved in setting minimum cybersecurity standards for the nation's critical infrastructure operators, something he says is needed.

Meanwhile, there's a lot more political agreement around the notion of enabling more information sharing between and among government and industry and providing legal liability protections to companies that share and act on cyber threat information.

"Government cannot do what the Internet service providers, the antivirus community and the sector-specific agencies do. We need to work together," he said.

Secure information sharing

Alexander said a wide gap exists between companies with solid cybersecurity postures and those that may not even know adversaries are inside their networks. The government, he said, can help improve those companies' security in a way he insisted still would protect civil liberties by providing threat and vulnerability information initially accumulated by NSA.

Robert Joyce, NSA's deputy director for information assurance, said the agency has special insights into cyber vulnerabilities from inside the intelligence community, and it's already come a long way toward packaging that information into formats that can be used by private companies without giving up national security secrets.

Some of the ways NSA is pushing information out include publishing best practices for hardening IT systems on its public website, developing a standard lexicon to describe threats across government and industry, and, when requested, giving one-on-one advice to IT companies to help them make more secure products, Joyce said.

But Joyce said NSA also wants to help companies incorporate what it knows about ongoing cyber threats into the day-to-day operations of private networks.

"The ultimate objective is to take the classified information and share that in a way that the companies can take action to fix or prevent intrusions," Joyce said.

That's a careful balancing act, though. Joyce said that while the government wants to share, it has to be careful not to tip off attackers that it knows what they're up to; otherwise they'll simply tweak their malware so it no longer sets off the alarm bells triggered by previous versions.

"We have to do it in a way where the information is still viable and usable by industry, but it's also protected," he said. "There are some interesting partnerships where we're able to take information from NSA, pass it through to the Department of Homeland Security and the FBI and they're able to action that. So a lot of the information that starts out on the intel side of NSA can wind up being actionable by industry sectors in a way that it doesn't have an NSA logo in it, but it has NSA information inside."

Better at declassifying threat data

At DHS, which serves as the primary government and industry go-between for cyber threat information, Larry Zelvin, who directs the department's National Cyber and Communications Integration Center (NCCIC), said DHS is sharing data that originated from within the intelligence community in ways that would have been unthinkable just a few years ago.

"I used to joke that when two people in the intelligence community said good morning to each other, it was top secret," Zelvin said. "No longer. The intelligence community and law enforcement community [are] downgrading information in a way that I've never seen it, and I've had a security clearance for the last 2-1/2 decades. They really go the extra mile to declassify information because they get that the private sector, state and local governments and international partners need information and it needs to be shared. You may not know that it came from the NSA or one of the other three-letter agencies, but it shouldn't matter. At the end of the day, what you care about is the information, not who got it."

But Zelvin said the government needs to become much more advanced in how it shares information. While cyber threats move just shy of the speed of light, warnings about them, so far, do not.

"A lot of this is done by paper. It's done by email. It's posted on a Web page. It's shared by a phone call. We should be far more advanced than we are now," he said. "As I look out at the products we're putting out, I wonder, are people just manually re-typing all of these hashes and numbers and dashes we're sending them? And if so, how successfully are they doing that?"

TAXII takes off

To solve that speed problem, DHS is working on the Trusted Automated Exchange of Indicator Information (TAXII). It's intended to be a set of standardized technical specifications that allows machines to detect cyber threats and communicate them to one another in real time. While the threat information would remain easily readable by humans, it would also let warnings zoom machine-to-machine across networks without requiring multiple layers of bureaucratic intervention.
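To make the contrast between manually re-typed indicators and a machine-readable feed concrete, here is an added Python example; it is not DHS's TAXII specification, not STIX, and not code from the article. It ingests a constructed, simplified JSON indicator bundle that stands in for the kind of feed an automated exchange would carry (the field names are assumptions, not TAXII's or STIX's schema), normalizes each indicator, rejects malformed ones the way a hand-copied hash would be, and then matches the rest against constructed log lines. The hash, domain, IP address and log lines are all made up.

```python
import ipaddress
import json
import re

# Constructed indicator feed. Field names are assumptions for this example,
# NOT the real TAXII/STIX schema. The hash, domain and IP are made up; the
# last entry is deliberately malformed (a truncated hash, as if re-typed by
# hand) to show that a machine consumer can reject it instead of silently
# never matching on it.
INDICATOR_FEED = json.dumps({
    "feed_id": "example-feed-001",
    "indicators": [
        {"type": "sha256",
         "value": "0123456789ABCDEF" * 4 + " ",   # uppercase, trailing space
         "note": "constructed sample dropper hash"},
        {"type": "domain", "value": "Update-Check.Example.net",
         "note": "constructed command-and-control domain"},
        {"type": "ipv4", "value": "203.0.113.45",
         "note": "constructed, TEST-NET-3 documentation range"},
        {"type": "sha256", "value": "0123ABCD",
         "note": "constructed malformed entry"},
    ],
})

# Constructed log lines in a simple key=value format.
SAMPLE_LOGS = [
    "2012-11-07T09:12:01Z host=ws17 event=file_exec sha256="
    + "0123456789abcdef" * 4 + " path=C:\\temp\\a.exe",
    "2012-11-07T09:12:05Z host=ws17 event=dns_query qname=update-check.example.net",
    "2012-11-07T09:13:44Z host=ws22 event=net_conn dst=198.51.100.7:443",
    "2012-11-07T09:14:02Z host=ws22 event=net_conn dst=203.0.113.45:443",
]

# How each indicator type is located inside a log line.
FIELD_PATTERNS = {
    "sha256": re.compile(r"sha256=([0-9A-Fa-f]{64})"),
    "domain": re.compile(r"qname=([A-Za-z0-9.-]+)"),
    "ipv4": re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3})"),
}


def normalize(kind, value):
    """Canonicalize an indicator value so feed and log representations agree.
    Raises ValueError for values that cannot be a valid indicator of `kind`."""
    v = value.strip()
    if kind == "sha256":
        v = v.lower()
        if not re.fullmatch(r"[0-9a-f]{64}", v):
            raise ValueError(f"malformed sha256 indicator: {value!r}")
    elif kind == "domain":
        v = v.lower().rstrip(".")
    elif kind == "ipv4":
        ipaddress.ip_address(v)  # raises ValueError if not an IP address
    else:
        raise ValueError(f"unsupported indicator type: {kind!r}")
    return v


def load_indicators(feed_json):
    """Parse the feed into a lookup table keyed by (type, normalized value).
    Returns (table, rejected) so bad entries are visible, not silently lost."""
    feed = json.loads(feed_json)
    table, rejected = {}, []
    for ind in feed.get("indicators", []):
        try:
            key = (ind["type"], normalize(ind["type"], ind["value"]))
        except (KeyError, ValueError) as exc:
            rejected.append((ind, str(exc)))
            continue
        table[key] = ind.get("note", "")
    return table, rejected


def scan_logs(log_lines, table):
    """Match every recognized field in each log line against the table."""
    hits = []
    for line in log_lines:
        for kind, pattern in FIELD_PATTERNS.items():
            for match in pattern.finditer(line):
                try:
                    key = (kind, normalize(kind, match.group(1)))
                except ValueError:
                    continue  # malformed value in the log itself
                if key in table:
                    hits.append({"kind": kind, "value": key[1],
                                 "note": table[key], "line": line})
    return hits


if __name__ == "__main__":
    table, rejected = load_indicators(INDICATOR_FEED)
    print(f"loaded {len(table)} indicators, rejected {len(rejected)}")
    for ind, reason in rejected:
        print("  rejected:", reason)
    for hit in scan_logs(SAMPLE_LOGS, table):
        print(f"HIT {hit['kind']} {hit['value']} ({hit['note']})")
```

The point of the normalization step is the one Zelvin raises: a hash that arrives with different casing or a stray space, or a domain with a trailing dot, should still match, while a truncated hash is reported as rejected rather than quietly producing no alerts.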

Zelvin and Joyce say their agencies have taken major steps forward to push cyber threat information out to industry, but like Alexander, they said that data flow needs to happen in both directions.

Joyce said in order for his agency to be effective against cyber threats, NSA needs an accurate picture of the overall cyber threat landscape, something it can't get on its own.

"We'd love to get information about a particular intrusion. If we're able to get that, through the FBI and DHS, we'd be able to make it much more actionable," he said. "We could be the over-the-horizon radar looking out into the foreign space to understand where the threat's coming from and who else they may be going after. That's where it's really important to have that two-way information flow. The things you can tell us about an intrusion in your company will let us understand more about that and whether there's a deeper web behind it."

But right now, Joyce said, the U.S. doesn't have an established technical and policy infrastructure to conduct two-way information sharing at the scale that's needed to counter nation-state cyber threats. The consequences of failing to build one, he said, would be rather dire.

"I think we're going to continue to see the wealth and treasure, the intellectual property of the U.S. leaking out," he said. "I think we're going to see some sort of cyber catastrophe because we're unable to sense it as it comes. You can't overstate the implications."